mirror of
https://github.com/golang/go
synced 2024-11-18 12:34:42 -07:00
c97e576576
...and size initial buffers more accurately. Easy pickings only. More might remain. name old time/op new time/op delta CSSEscaper-8 1.17µs ± 1% 0.80µs ± 2% -31.55% (p=0.000 n=44+48) CSSEscaperNoSpecials-8 205ns ± 2% 204ns ± 3% -0.73% (p=0.014 n=46+49) DecodeCSS-8 438ns ± 2% 436ns ± 2% ~ (p=0.099 n=48+47) DecodeCSSNoSpecials-8 6.11ns ± 3% 5.93ns ± 3% -2.85% (p=0.000 n=50+48) CSSValueFilter-8 149ns ± 0% 145ns ± 0% -2.68% (p=0.000 n=32+35) CSSValueFilterOk-8 238ns ± 2% 234ns ± 2% -1.40% (p=0.000 n=49+47) EscapedExecute-8 2.53µs ± 2% 2.55µs ± 1% +0.87% (p=0.000 n=48+49) HTMLNospaceEscaper-8 1.35µs ± 2% 0.92µs ± 1% -31.74% (p=0.000 n=48+48) HTMLNospaceEscaperNoSpecials-8 278ns ± 2% 263ns ± 2% -5.17% (p=0.000 n=47+49) StripTags-8 778ns ± 2% 786ns ± 1% +0.96% (p=0.000 n=46+47) StripTagsNoSpecials-8 84.2ns ± 1% 84.1ns ± 1% ~ (p=0.300 n=48+48) JSValEscaperWithNum-8 506ns ± 2% 486ns ± 3% -3.82% (p=0.000 n=47+45) JSValEscaperWithStr-8 1.61µs ± 1% 1.64µs ± 1% +1.75% (p=0.000 n=44+49) JSValEscaperWithStrNoSpecials-8 548ns ± 2% 552ns ± 2% +0.78% (p=0.000 n=48+46) JSValEscaperWithObj-8 1.91µs ± 2% 1.87µs ± 1% -2.08% (p=0.000 n=49+47) JSValEscaperWithObjNoSpecials-8 735ns ± 2% 742ns ± 2% +1.01% (p=0.000 n=47+49) JSStrEscaperNoSpecials-8 228ns ± 4% 211ns ± 3% -7.53% (p=0.000 n=50+49) JSStrEscaper-8 1.11µs ± 1% 0.78µs ± 1% -29.94% (p=0.000 n=48+48) JSRegexpEscaperNoSpecials-8 214ns ± 2% 212ns ± 3% -1.12% (p=0.000 n=50+49) JSRegexpEscaper-8 1.17µs ± 0% 0.79µs ± 1% -31.92% (p=0.000 n=48+47) TemplateSpecialTags-8 172µs ± 1% 172µs ± 1% ~ (p=0.976 n=48+47) URLEscaper-8 1.88µs ± 2% 1.87µs ± 2% -0.56% (p=0.001 n=49+49) URLEscaperNoSpecials-8 162ns ± 1% 169ns ± 1% +3.76% (p=0.000 n=49+50) URLNormalizer-8 1.29µs ± 3% 1.29µs ± 2% -0.37% (p=0.041 n=48+48) URLNormalizerNoSpecials-8 185ns ± 1% 186ns ± 1% +0.15% (p=0.013 n=49+49) SrcsetFilter-8 616ns ± 1% 618ns ± 1% +0.36% (p=0.000 n=46+46) SrcsetFilterNoSpecials-8 359ns ± 0% 352ns ± 0% -1.93% (p=0.000 n=40+43) [Geo mean] 560ns 525ns -6.17% name old alloc/op new alloc/op delta CSSEscaper-8 672B ± 0% 336B ± 0% -50.00% (p=0.000 n=50+50) CSSEscaperNoSpecials-8 0.00B 0.00B ~ (all equal) DecodeCSS-8 160B ± 0% 160B ± 0% ~ (all equal) DecodeCSSNoSpecials-8 0.00B 0.00B ~ (all equal) CSSValueFilter-8 96.0B ± 0% 96.0B ± 0% ~ (all equal) CSSValueFilterOk-8 48.0B ± 0% 48.0B ± 0% ~ (all equal) EscapedExecute-8 688B ± 0% 624B ± 0% -9.30% (p=0.000 n=50+50) HTMLNospaceEscaper-8 752B ± 0% 368B ± 0% -51.06% (p=0.000 n=50+50) HTMLNospaceEscaperNoSpecials-8 48.0B ± 0% 32.0B ± 0% -33.33% (p=0.000 n=50+50) StripTags-8 224B ± 0% 224B ± 0% ~ (all equal) StripTagsNoSpecials-8 112B ± 0% 112B ± 0% ~ (all equal) JSValEscaperWithNum-8 96.0B ± 0% 40.0B ± 0% -58.33% (p=0.000 n=50+50) JSValEscaperWithStr-8 384B ± 0% 384B ± 0% ~ (all equal) JSValEscaperWithStrNoSpecials-8 96.0B ± 0% 96.0B ± 0% ~ (all equal) JSValEscaperWithObj-8 448B ± 0% 448B ± 0% ~ (all equal) JSValEscaperWithObjNoSpecials-8 160B ± 0% 160B ± 0% ~ (all equal) JSStrEscaperNoSpecials-8 0.00B 0.00B ~ (all equal) JSStrEscaper-8 672B ± 0% 336B ± 0% -50.00% (p=0.000 n=50+50) JSRegexpEscaperNoSpecials-8 0.00B 0.00B ~ (all equal) JSRegexpEscaper-8 672B ± 0% 336B ± 0% -50.00% (p=0.000 n=50+50) TemplateSpecialTags-8 48.0kB ± 0% 47.9kB ± 0% -0.13% (p=0.000 n=50+48) URLEscaper-8 336B ± 0% 336B ± 0% ~ (all equal) URLEscaperNoSpecials-8 112B ± 0% 112B ± 0% ~ (all equal) URLNormalizer-8 176B ± 0% 176B ± 0% ~ (all equal) URLNormalizerNoSpecials-8 112B ± 0% 112B ± 0% ~ (all equal) SrcsetFilter-8 160B ± 0% 160B ± 0% ~ (all equal) SrcsetFilterNoSpecials-8 160B ± 0% 160B ± 0% ~ (all equal) [Geo mean] 259B 216B -16.60% name old allocs/op new allocs/op delta CSSEscaper-8 4.00 ± 0% 2.00 ± 0% -50.00% (p=0.000 n=50+50) CSSEscaperNoSpecials-8 0.00 0.00 ~ (all equal) DecodeCSS-8 1.00 ± 0% 1.00 ± 0% ~ (all equal) DecodeCSSNoSpecials-8 0.00 0.00 ~ (all equal) CSSValueFilter-8 2.00 ± 0% 2.00 ± 0% ~ (all equal) CSSValueFilterOk-8 3.00 ± 0% 3.00 ± 0% ~ (all equal) EscapedExecute-8 18.0 ± 0% 18.0 ± 0% ~ (all equal) HTMLNospaceEscaper-8 5.00 ± 0% 3.00 ± 0% -40.00% (p=0.000 n=50+50) HTMLNospaceEscaperNoSpecials-8 1.00 ± 0% 1.00 ± 0% ~ (all equal) StripTags-8 3.00 ± 0% 3.00 ± 0% ~ (all equal) StripTagsNoSpecials-8 2.00 ± 0% 2.00 ± 0% ~ (all equal) JSValEscaperWithNum-8 3.00 ± 0% 3.00 ± 0% ~ (all equal) JSValEscaperWithStr-8 2.00 ± 0% 2.00 ± 0% ~ (all equal) JSValEscaperWithStrNoSpecials-8 2.00 ± 0% 2.00 ± 0% ~ (all equal) JSValEscaperWithObj-8 3.00 ± 0% 3.00 ± 0% ~ (all equal) JSValEscaperWithObjNoSpecials-8 3.00 ± 0% 3.00 ± 0% ~ (all equal) JSStrEscaperNoSpecials-8 0.00 0.00 ~ (all equal) JSStrEscaper-8 4.00 ± 0% 2.00 ± 0% -50.00% (p=0.000 n=50+50) JSRegexpEscaperNoSpecials-8 0.00 0.00 ~ (all equal) JSRegexpEscaper-8 4.00 ± 0% 2.00 ± 0% -50.00% (p=0.000 n=50+50) TemplateSpecialTags-8 185 ± 0% 185 ± 0% ~ (all equal) URLEscaper-8 4.00 ± 0% 4.00 ± 0% ~ (all equal) URLEscaperNoSpecials-8 2.00 ± 0% 2.00 ± 0% ~ (all equal) URLNormalizer-8 3.00 ± 0% 3.00 ± 0% ~ (all equal) URLNormalizerNoSpecials-8 2.00 ± 0% 2.00 ± 0% ~ (all equal) SrcsetFilter-8 3.00 ± 0% 3.00 ± 0% ~ (all equal) SrcsetFilterNoSpecials-8 3.00 ± 0% 3.00 ± 0% ~ (all equal) [Geo mean] 3.41 3.05 -10.65% Change-Id: I809ea56495ce1881656af7e24621448ab64b449a Reviewed-on: https://go-review.googlesource.com/c/155919 Run-TryBot: Josh Bleecher Snyder <josharian@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
267 lines
7.3 KiB
Go
267 lines
7.3 KiB
Go
// Copyright 2011 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package template
|
|
|
|
import (
|
|
"bytes"
|
|
"fmt"
|
|
"strings"
|
|
"unicode/utf8"
|
|
)
|
|
|
|
// htmlNospaceEscaper escapes for inclusion in unquoted attribute values.
|
|
func htmlNospaceEscaper(args ...interface{}) string {
|
|
s, t := stringify(args...)
|
|
if t == contentTypeHTML {
|
|
return htmlReplacer(stripTags(s), htmlNospaceNormReplacementTable, false)
|
|
}
|
|
return htmlReplacer(s, htmlNospaceReplacementTable, false)
|
|
}
|
|
|
|
// attrEscaper escapes for inclusion in quoted attribute values.
|
|
func attrEscaper(args ...interface{}) string {
|
|
s, t := stringify(args...)
|
|
if t == contentTypeHTML {
|
|
return htmlReplacer(stripTags(s), htmlNormReplacementTable, true)
|
|
}
|
|
return htmlReplacer(s, htmlReplacementTable, true)
|
|
}
|
|
|
|
// rcdataEscaper escapes for inclusion in an RCDATA element body.
|
|
func rcdataEscaper(args ...interface{}) string {
|
|
s, t := stringify(args...)
|
|
if t == contentTypeHTML {
|
|
return htmlReplacer(s, htmlNormReplacementTable, true)
|
|
}
|
|
return htmlReplacer(s, htmlReplacementTable, true)
|
|
}
|
|
|
|
// htmlEscaper escapes for inclusion in HTML text.
|
|
func htmlEscaper(args ...interface{}) string {
|
|
s, t := stringify(args...)
|
|
if t == contentTypeHTML {
|
|
return s
|
|
}
|
|
return htmlReplacer(s, htmlReplacementTable, true)
|
|
}
|
|
|
|
// htmlReplacementTable contains the runes that need to be escaped
|
|
// inside a quoted attribute value or in a text node.
|
|
var htmlReplacementTable = []string{
|
|
// https://www.w3.org/TR/html5/syntax.html#attribute-value-(unquoted)-state
|
|
// U+0000 NULL Parse error. Append a U+FFFD REPLACEMENT
|
|
// CHARACTER character to the current attribute's value.
|
|
// "
|
|
// and similarly
|
|
// https://www.w3.org/TR/html5/syntax.html#before-attribute-value-state
|
|
0: "\uFFFD",
|
|
'"': """,
|
|
'&': "&",
|
|
'\'': "'",
|
|
'+': "+",
|
|
'<': "<",
|
|
'>': ">",
|
|
}
|
|
|
|
// htmlNormReplacementTable is like htmlReplacementTable but without '&' to
|
|
// avoid over-encoding existing entities.
|
|
var htmlNormReplacementTable = []string{
|
|
0: "\uFFFD",
|
|
'"': """,
|
|
'\'': "'",
|
|
'+': "+",
|
|
'<': "<",
|
|
'>': ">",
|
|
}
|
|
|
|
// htmlNospaceReplacementTable contains the runes that need to be escaped
|
|
// inside an unquoted attribute value.
|
|
// The set of runes escaped is the union of the HTML specials and
|
|
// those determined by running the JS below in browsers:
|
|
// <div id=d></div>
|
|
// <script>(function () {
|
|
// var a = [], d = document.getElementById("d"), i, c, s;
|
|
// for (i = 0; i < 0x10000; ++i) {
|
|
// c = String.fromCharCode(i);
|
|
// d.innerHTML = "<span title=" + c + "lt" + c + "></span>"
|
|
// s = d.getElementsByTagName("SPAN")[0];
|
|
// if (!s || s.title !== c + "lt" + c) { a.push(i.toString(16)); }
|
|
// }
|
|
// document.write(a.join(", "));
|
|
// })()</script>
|
|
var htmlNospaceReplacementTable = []string{
|
|
0: "�",
|
|
'\t': "	",
|
|
'\n': " ",
|
|
'\v': "",
|
|
'\f': "",
|
|
'\r': " ",
|
|
' ': " ",
|
|
'"': """,
|
|
'&': "&",
|
|
'\'': "'",
|
|
'+': "+",
|
|
'<': "<",
|
|
'=': "=",
|
|
'>': ">",
|
|
// A parse error in the attribute value (unquoted) and
|
|
// before attribute value states.
|
|
// Treated as a quoting character by IE.
|
|
'`': "`",
|
|
}
|
|
|
|
// htmlNospaceNormReplacementTable is like htmlNospaceReplacementTable but
|
|
// without '&' to avoid over-encoding existing entities.
|
|
var htmlNospaceNormReplacementTable = []string{
|
|
0: "�",
|
|
'\t': "	",
|
|
'\n': " ",
|
|
'\v': "",
|
|
'\f': "",
|
|
'\r': " ",
|
|
' ': " ",
|
|
'"': """,
|
|
'\'': "'",
|
|
'+': "+",
|
|
'<': "<",
|
|
'=': "=",
|
|
'>': ">",
|
|
// A parse error in the attribute value (unquoted) and
|
|
// before attribute value states.
|
|
// Treated as a quoting character by IE.
|
|
'`': "`",
|
|
}
|
|
|
|
// htmlReplacer returns s with runes replaced according to replacementTable
|
|
// and when badRunes is true, certain bad runes are allowed through unescaped.
|
|
func htmlReplacer(s string, replacementTable []string, badRunes bool) string {
|
|
written, b := 0, new(strings.Builder)
|
|
r, w := rune(0), 0
|
|
for i := 0; i < len(s); i += w {
|
|
// Cannot use 'for range s' because we need to preserve the width
|
|
// of the runes in the input. If we see a decoding error, the input
|
|
// width will not be utf8.Runelen(r) and we will overrun the buffer.
|
|
r, w = utf8.DecodeRuneInString(s[i:])
|
|
if int(r) < len(replacementTable) {
|
|
if repl := replacementTable[r]; len(repl) != 0 {
|
|
if written == 0 {
|
|
b.Grow(len(s))
|
|
}
|
|
b.WriteString(s[written:i])
|
|
b.WriteString(repl)
|
|
written = i + w
|
|
}
|
|
} else if badRunes {
|
|
// No-op.
|
|
// IE does not allow these ranges in unquoted attrs.
|
|
} else if 0xfdd0 <= r && r <= 0xfdef || 0xfff0 <= r && r <= 0xffff {
|
|
if written == 0 {
|
|
b.Grow(len(s))
|
|
}
|
|
fmt.Fprintf(b, "%s&#x%x;", s[written:i], r)
|
|
written = i + w
|
|
}
|
|
}
|
|
if written == 0 {
|
|
return s
|
|
}
|
|
b.WriteString(s[written:])
|
|
return b.String()
|
|
}
|
|
|
|
// stripTags takes a snippet of HTML and returns only the text content.
|
|
// For example, `<b>¡Hi!</b> <script>...</script>` -> `¡Hi! `.
|
|
func stripTags(html string) string {
|
|
var b bytes.Buffer
|
|
s, c, i, allText := []byte(html), context{}, 0, true
|
|
// Using the transition funcs helps us avoid mangling
|
|
// `<div title="1>2">` or `I <3 Ponies!`.
|
|
for i != len(s) {
|
|
if c.delim == delimNone {
|
|
st := c.state
|
|
// Use RCDATA instead of parsing into JS or CSS styles.
|
|
if c.element != elementNone && !isInTag(st) {
|
|
st = stateRCDATA
|
|
}
|
|
d, nread := transitionFunc[st](c, s[i:])
|
|
i1 := i + nread
|
|
if c.state == stateText || c.state == stateRCDATA {
|
|
// Emit text up to the start of the tag or comment.
|
|
j := i1
|
|
if d.state != c.state {
|
|
for j1 := j - 1; j1 >= i; j1-- {
|
|
if s[j1] == '<' {
|
|
j = j1
|
|
break
|
|
}
|
|
}
|
|
}
|
|
b.Write(s[i:j])
|
|
} else {
|
|
allText = false
|
|
}
|
|
c, i = d, i1
|
|
continue
|
|
}
|
|
i1 := i + bytes.IndexAny(s[i:], delimEnds[c.delim])
|
|
if i1 < i {
|
|
break
|
|
}
|
|
if c.delim != delimSpaceOrTagEnd {
|
|
// Consume any quote.
|
|
i1++
|
|
}
|
|
c, i = context{state: stateTag, element: c.element}, i1
|
|
}
|
|
if allText {
|
|
return html
|
|
} else if c.state == stateText || c.state == stateRCDATA {
|
|
b.Write(s[i:])
|
|
}
|
|
return b.String()
|
|
}
|
|
|
|
// htmlNameFilter accepts valid parts of an HTML attribute or tag name or
|
|
// a known-safe HTML attribute.
|
|
func htmlNameFilter(args ...interface{}) string {
|
|
s, t := stringify(args...)
|
|
if t == contentTypeHTMLAttr {
|
|
return s
|
|
}
|
|
if len(s) == 0 {
|
|
// Avoid violation of structure preservation.
|
|
// <input checked {{.K}}={{.V}}>.
|
|
// Without this, if .K is empty then .V is the value of
|
|
// checked, but otherwise .V is the value of the attribute
|
|
// named .K.
|
|
return filterFailsafe
|
|
}
|
|
s = strings.ToLower(s)
|
|
if t := attrType(s); t != contentTypePlain {
|
|
// TODO: Split attr and element name part filters so we can whitelist
|
|
// attributes.
|
|
return filterFailsafe
|
|
}
|
|
for _, r := range s {
|
|
switch {
|
|
case '0' <= r && r <= '9':
|
|
case 'a' <= r && r <= 'z':
|
|
default:
|
|
return filterFailsafe
|
|
}
|
|
}
|
|
return s
|
|
}
|
|
|
|
// commentEscaper returns the empty string regardless of input.
|
|
// Comment content does not correspond to any parsed structure or
|
|
// human-readable content, so the simplest and most secure policy is to drop
|
|
// content interpolated into comments.
|
|
// This approach is equally valid whether or not static comment content is
|
|
// removed from the template.
|
|
func commentEscaper(args ...interface{}) string {
|
|
return ""
|
|
}
|